Re: Request to add parameters to createSession (bug 17660)

Hi Joe,

I tend to agree with Steven, though I also completely agree with what you say below about TLS.

One of the objectives of the EME was to enable client scripts to be largely or entirely keysystem-agnostic (except in the actual selection of a preferred keysystem, when there is a choice). As things stand the procedure is always the same: take the initData from the needkey event, pass it back to create a MediaKeySession and then ferry messages to and fro between the CDM and the application server.

Adding a space for appData creates scope for keysystems to place keysystem-specific requirements on what that contains, requiring keysystem-specific procedures on the client side.

If, however, you are proposing that the appData is *opaque to the CDM*, then things might be different. i.e. the appData would be an opaque BLOB that the CDM is supposed to include within the license request message (protected by whatever mechanisms the CDM uses to protect its messages). Is that what you meant ? I'd have to think further about that.

Regarding TLS, we have been working in the W3C WebCrypto WG to define cryptographic primitives and key storage such that you can build lightweight secure application protocols in Javascript without TLS.

…Mark

On Oct 16, 2012, at 9:36 AM, Joe Steele wrote:

Although the specific use case I cited was for authentication, this could be used by an application to include any additional information for the key system to use in subsequent key requests while not relying on TLS channel security.

I have some specific reasons for not wanting to rely on TLS for this usage:
1. Establishing a TLS channel requires several back and forth messages, while a protocol that relies on known keys can be more succinct. This is a significant network scaling concern when you are talking about delivering millions of licenses (for example an Olympic event).
2. High-availability TLS endpoints are more expensive than the same server without TLS.
3. Relying on TLS requires that the root for the servers certificates be trusted on the client end. You have to purchase those certificates from one of a relatively small group of trusted vendors in order to be immediately compatible across a wide range of browsers, which introduces additional cost. Relying on an independent PKI infrastructure (while more difficult to setup) allows for some additional scaling benefits.
4. Relying on the browsers trusted roots leaves the user (and the key system) vulnerable to TLS-proxy attacks (http://www.thoughtcrime.org/software/sslsniff/). Having a more limited set of trusted roots limits the effectiveness of these attacks.

I believe this change will make authors lives easier by allowing them to build high availability video applications while not limiting them to a single mechanism (TLS) for maintaining user confidentiality. This will also encourage them to write their UI in HTML as opposed to relying on browser specific behaviors/configuration for securing their information gathering.

I don't believe this would encourage any more fragmentation than will exist naturally. I believe a reasonable default behavior for clearKey would be to include the additional parameters in a JSON envelope along with the key request as you have indicated you are doing.

Joe Steele
steele@adobe.com<mailto:steele@adobe.com>

On Oct 15, 2012, at 4:19 PM, Steven Robertson wrote:

This seems like it would encourage fragmentation across key systems,
which would compromise the usability of the spec for authors.

I'm not sure I understand the reason authentication or other side
channel information couldn't be obtained through more standard means
(e.g. credentialed XHR or query parameters). Further, it seems that
this would not afford any additional protection against client-side
manipulation or forgery. The only effective difference between passing
information in the proposed manner and passing via standard means
appears to be that the former is proprietary to a particular key
system. Is there another motivation for this change which I'm not
seeing?

Our current prototypes have thus far been successful in remaining
format- and key-system-agnostic except in the places where such
parameters are directly required. We do this by wrapping all license
requests and responses in a JSON envelope on an HTTPS request that
provides a consistent, cross-environment, cross-key-system approach to
common tasks such as credential verification, descriptive error
signaling, and request retry. This has greatly simplified our
application infrastructure and license server interface. I would very
much like to maintain that simplicity, and I suspect that the proposed
change would lead us away from that.

On Mon, Oct 15, 2012 at 1:40 PM, Joe Steele <steele@adobe.com<mailto:steele@adobe.com>> wrote:
I reopened this bug a few weeks ago because I would like to see a mechanism
for passing application level parameters down into the CDM when the key
session is created.

As I said on on of the recent calls, my reasoning is that some CDMs may
transmit authentication/authorization data in-band (that is via CDM-specific
mechanisms).

An example of this would be:

<script>
 function handleKeyNeeded(event) {
   var video = event.target;
   var initData = event.initData;
   var appData = { username: "foo", token: "A53DF98700ABFE11",
sessionNonce: "DJKGDH+!9861XxbODY1287x===" };

   if (!video.keys)
     video.keys = MediaKeys("com.example.somesystem");
   if (!video.keys)
     throw "Could not create MediaKeys";

   var keySession = mediaKeys.createSession(mimeType, initData, appData);
   if (!keySession)
     throw "Could not create key session";

   keySession.onkeymessage="handleMessage(event)";
 }

 function handleMessage(event) {
   var keySession = event.target;
   var message = event.message;

   var xmlhttp = new XMLHttpRequest();
   xmlhttp.open("POST", "http://.../getkey", false);
   xmlhttp.send(message);
   var key = new Uint8Array(xmlhttp.response);
   keySession.addKey(key);
 }
</script>

<video src="foo.dash" autoplay onneedkey="handleKeyNeeded(event)"
onkeymessage="handleMessage(event)"></video>


The appData parameter would be optional and NULL by default. CDM's which do
not handle this parameter could simply ignore it if passed.
This is a use-case which would be used by at least one content protection
mechanism today, possibly more than one.


Joe Steele
steele@adobe.com<mailto:steele@adobe.com>